Breach Notification Rules Get a Makeover

Rules about notifying patients when their protected health information (PHI) has been breached, that is, used or disclosed impermissibly, got stronger under HIPAA, while a new state law brought some relief.

The HIPAA omnibus rule (PDF) bolsters the federal breach requirements by clarifying when practices must report breaches of unsecured PHI to the U.S. Department of Health and Human Services.

Any impermissible use or disclosure is now presumed to be a reportable breach unless, after completing a risk assessment, you can demonstrate that there is a "low probability that the PHI has been compromised." Practices must consider these four factors in the risk assessment:

Who obtained unauthorized access to the PHI, and whether that person has an independent obligation to protect its confidentiality (for example, another HIPAA covered entity);

The nature and extent of the PHI involved, e.g., the level of financial or clinical sensitivity, the types of identifiers included, and the likelihood that individual patients could be re-identified;